From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 2/2] package/wpa_supplicant: add upstream 2019-1, 2, 3 security patches
Date: Thu, 11 Apr 2019 12:42:14 +0200 [thread overview]
Message-ID: <20190411104215.8317-2-peter@korsgaard.com> (raw)
In-Reply-To: <20190411104215.8317-1-peter@korsgaard.com>
Fixes the following security vulnerabilities:
- CVE-2019-9494 (cache attack against SAE)
For details, see the advisory:
https://w1.fi/security/2019-1/sae-side-channel-attacks.txt
- CVE-2019-9495 (cache attack against EAP-pwd)
For details, see the advisory:
https://w1.fi/security/2019-2/eap-pwd-side-channel-attack.txt
- CVE-2019-9496 (SAE confirm missing state validation in hostapd/AP)
For details, see the advisory:
https://w1.fi/security/2019-3/sae-confirm-missing-state-validation.txt
Notice that SAE is not currently enabled in Buildroot, but the patches are
included here anyway for completeness.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/wpa_supplicant/wpa_supplicant.hash | 10 ++++++++++
package/wpa_supplicant/wpa_supplicant.mk | 11 +++++++++++
2 files changed, 21 insertions(+)
diff --git a/package/wpa_supplicant/wpa_supplicant.hash b/package/wpa_supplicant/wpa_supplicant.hash
index 5b5d5fcab2..9f0dec8bfa 100644
--- a/package/wpa_supplicant/wpa_supplicant.hash
+++ b/package/wpa_supplicant/wpa_supplicant.hash
@@ -1,3 +1,13 @@
# Locally calculated
sha256 76ea6b06b7a2ea8e6d9eb1a9166166f1656e6d48c7508914f592100c95c73074 wpa_supplicant-2.7.tar.gz
+sha256 86979655f1c5a9578acbf83e8acdf69a36dcc0966a8819f3b6918530ad3e0c67 0001-OpenSSL-Use-constant-time-operations-for-private-big.patch
+sha256 5663da175ecc344c90bea8c95ab831ad47a8002ccbb834f6c091705b92e90e71 0002-Add-helper-functions-for-constant-time-operations.patch
+sha256 e5a6bc9f587351d4495740239ceb0a64958a59b3e875722dcaeb4c93fa517f64 0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch
+sha256 aa5b722bebbaf175ff89a3653c3d048afe0d0f866989fca6b4c8e882a864392a 0004-EAP-pwd-Use-constant-time-and-memory-access-for-find.patch
+sha256 bad9eeaeb118f88303a7a718820b3ba03d705e99b6183b3c44556bedf99db423 0005-SAE-Minimize-timing-differences-in-PWE-derivation.patch
+sha256 ae7be450f652f6f77ad868856ab61ba6cb6d7e768585cf5f9f9f674a66e05b40 0006-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch
+sha256 86b731c787ca58ac001d20fb769b136e2ca76bf81a8465a8e72c50573cfc4b09 0007-SAE-Mask-timing-of-MODP-groups-22-23-24.patch
+sha256 ff7305005217a34818dae247886b9fb1b1db781ab31fb5eac9ebdd9cb0d1edfe 0008-SAE-Use-const_time-selection-for-PWE-in-FFC.patch
+sha256 707057cc0e60fe763350f82135dbe407bc289a4958879c8ff1e9413243a1caa4 0009-SAE-Use-constant-time-operations-in-sae_test_pwd_see.patch
+sha256 82d8ae4fabfe3674bcb5412befe3a74e40d6485906589c219be72e4fd1e70baa 0010-SAE-Fix-confirm-message-validation-in-error-cases.patch
sha256 76eeecd8fc291a71f29189ea20e6a34387b8048a959cbc6a65c41b98194643a2 README
diff --git a/package/wpa_supplicant/wpa_supplicant.mk b/package/wpa_supplicant/wpa_supplicant.mk
index f56637f42e..54400e66d0 100644
--- a/package/wpa_supplicant/wpa_supplicant.mk
+++ b/package/wpa_supplicant/wpa_supplicant.mk
@@ -6,6 +6,17 @@
WPA_SUPPLICANT_VERSION = 2.7
WPA_SUPPLICANT_SITE = http://w1.fi/releases
+WPA_SUPPLICANT_PATCH = \
+ https://w1.fi/security/2019-1/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch \
+ https://w1.fi/security/2019-1/0002-Add-helper-functions-for-constant-time-operations.patch \
+ https://w1.fi/security/2019-1/0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch \
+ https://w1.fi/security/2019-2/0004-EAP-pwd-Use-constant-time-and-memory-access-for-find.patch \
+ https://w1.fi/security/2019-1/0005-SAE-Minimize-timing-differences-in-PWE-derivation.patch \
+ https://w1.fi/security/2019-1/0006-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch \
+ https://w1.fi/security/2019-1/0007-SAE-Mask-timing-of-MODP-groups-22-23-24.patch \
+ https://w1.fi/security/2019-1/0008-SAE-Use-const_time-selection-for-PWE-in-FFC.patch \
+ https://w1.fi/security/2019-1/0009-SAE-Use-constant-time-operations-in-sae_test_pwd_see.patch \
+ https://w1.fi/security/2019-3/0010-SAE-Fix-confirm-message-validation-in-error-cases.patch
WPA_SUPPLICANT_LICENSE = BSD-3-Clause
WPA_SUPPLICANT_LICENSE_FILES = README
WPA_SUPPLICANT_CONFIG = $(WPA_SUPPLICANT_DIR)/wpa_supplicant/.config
--
2.11.0
next prev parent reply other threads:[~2019-04-11 10:42 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-11 10:42 [Buildroot] [PATCH 1/2] package/hostapd: add upstream 2019-1, 2, 3 security patches Peter Korsgaard
2019-04-11 10:42 ` Peter Korsgaard [this message]
2019-04-11 10:47 ` Baruch Siach
2019-04-11 11:02 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190411104215.8317-2-peter@korsgaard.com \
--to=peter@korsgaard.com \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.